Analysis

max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7v20210410
submitted: 13-05-2021 12:59

Static task: static1
Behavioral task: behavioral1
  Sample: a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe
  Resource: win10v20210408

General

Target: a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe
Size: 517KB
MD5: 0d0d474a1e1a09a0d9d5e8f375438475
SHA1: 6e7ddc644600681ea16847191d2fe2b16375f0a7
SHA256: a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b
SHA512: 3d3a0017253463cd45a1d38a28e02276f72a8d2cf073a7b49c40251ed63e59f3e56efbe7becf3b623f8d4b24d3047aa8dc536b95937a1a6ef044fe771863402a
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
  pid   process
  1768  bitsuser.exe
  316   ~3553.tmp
  1360  srdeheme.exe
Loads dropped DLL 3 IoCs
Processes:
a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exebitsuser.exepid process 1096 a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe 1096 a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe 1768 bitsuser.exe -
Adds Run key to start application (2 TTPs, 1 IoC)
  description:  Set value (str)
  ioc:          \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\compkmgr = "C:\\Users\\Admin\\AppData\\Roaming\\DpiSdVol\\bitsuser.exe"
  process:      a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe
  The value is written under the sandbox user's own hive (HKU\<SID>, i.e. HKCU for that user), so it persists without elevation and points at the copy of the sample that was dropped into the Roaming profile.
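The registry IoC above arrives as one flattened string in the sandbox's native object-manager notation. The following Python is an added example, not code from the report or its sandbox: it parses such a line into hive, SID, key, value name and unescaped target, produces the reg.exe query that checks a host for the value, and flags targets that live under a user profile directory. REPORT_IOC is copied from the signature above; BENIGN_IOC and the profile-directory heuristic are this example's own assumptions.

```python
"""Parse a sandbox 'Adds Run key' IoC into hive, key, value name and target,
and flag autoruns whose target sits in a user-writable profile directory.

Added example; not part of the sandbox report. REPORT_IOC is copied from the
report's 'Adds Run key to start application' signature. BENIGN_IOC and the
profile-directory heuristic are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Copied verbatim from the report (the sandbox doubles backslashes in string data).
REPORT_IOC = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\compkmgr = '
    r'"C:\\Users\\Admin\\AppData\\Roaming\\DpiSdVol\\bitsuser.exe"'
)

# Constructed for contrast: a machine-wide autorun pointing into Program Files.
BENIGN_IOC = (
    r'Set value (str) \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Updater = '
    r'"C:\\Program Files\\Vendor\\updater.exe"'
)

_LINE_RE = re.compile(
    r'^Set value \((?P<type>[^)]+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*)"$'
)
# Native hive prefixes as the sandbox logs them -> the short names reg.exe expects.
_HIVES = {"\\REGISTRY\\USER": "HKU", "\\REGISTRY\\MACHINE": "HKLM"}
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
# Heuristic (assumption): targets under AppData, Downloads or Desktop are user-writable.
_PROFILE_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop)\\", re.IGNORECASE
)


@dataclass(frozen=True)
class RunKeyIoc:
    value_type: str
    hive: str                 # HKU or HKLM
    sid: Optional[str]        # user SID for HKU entries, else None
    key: str                  # hive-relative key, as reg.exe expects it
    value_name: str
    target: str               # unescaped data (the autorun command)

    def in_user_profile(self) -> bool:
        return _PROFILE_RE.match(self.target) is not None

    def reg_query(self) -> str:
        """reg.exe command that checks whether the value is present on a host."""
        return f'reg query "{self.key}" /v {self.value_name}'


def parse_run_key_ioc(line: str) -> RunKeyIoc:
    m = _LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a 'Set value' IoC: {line!r}")
    full_key, _, value_name = m.group("path").rpartition("\\")
    for native, short in _HIVES.items():
        if full_key.upper().startswith(native):
            rest = full_key[len(native):].lstrip("\\")
            break
    else:
        raise ValueError(f"unknown hive in {full_key!r}")
    sid = None
    if short == "HKU":
        head, _, _ = rest.partition("\\")
        if _SID_RE.match(head):
            sid = head
    target = m.group("data").replace("\\\\", "\\")   # undo the doubled backslashes
    return RunKeyIoc(m.group("type"), short, sid, f"{short}\\{rest}", value_name, target)


if __name__ == "__main__":
    for line in (REPORT_IOC, BENIGN_IOC):
        ioc = parse_run_key_ioc(line)
        flag = "USER-PROFILE AUTORUN" if ioc.in_user_profile() else "ok"
        print(f"{flag:22} {ioc.value_name} -> {ioc.target}")
        print(f"{'':22} {ioc.reg_query()}")
```

Treat the profile-directory flag as a hunt lead rather than a block rule: plenty of legitimate per-user installers also autorun from AppData. What makes this entry stand out is the combination of a value name (compkmgr) that does not match the binary (bitsuser.exe) and a freshly created, random-looking folder (DpiSdVol) in the Roaming profile.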
Drops file in System32 directory (1 IoC)
  description:  File created
  ioc:          C:\Windows\SysWOW64\srdeheme.exe
  process:      a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process
  1768  bitsuser.exe
  1248  Explorer.EXE
  1360  srdeheme.exe
  (the remaining entries alternate between 1248 Explorer.EXE and 1360 srdeheme.exe; 64 in total: bitsuser.exe once, Explorer.EXE 32 times, srdeheme.exe 31 times)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  1248  Explorer.EXE
Suspicious use of FindShellTrayWindow (4 IoCs)
  pid   process
  1248  Explorer.EXE  (4 entries)
Suspicious use of SendNotifyMessage (4 IoCs)
  pid   process
  1248  Explorer.EXE  (4 entries)
Suspicious use of WriteProcessMemory (9 IoCs)
  source pid  source process                                                              target pid  target process  writes
  1096        a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe        1768        bitsuser.exe    4
  1768        bitsuser.exe                                                                316         ~3553.tmp       4
  316         ~3553.tmp                                                                   1248        Explorer.EXE    1
  The first two rows are a parent writing into a child it has just started (1096 started 1768 and 1768 started 316, per the process tree below). Writes of that kind also occur during ordinary process creation, and the report does not show whether the children were started suspended and hollowed. The last row is ~3553.tmp writing into Explorer.EXE (PID 1248), a process it did not create; that is the unambiguous cross-process injection indicator in this run, and it is why Explorer.EXE subsequently shows the EnumeratesProcesses and FindShellTrayWindow behaviour above.
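The WriteProcessMemory table is easier to reason about as a graph. The following Python is an added example, not code from the report or its sandbox: it parses the flattened "PID x wrote to memory of y" records, counts identical edges, separates writes into a process's own child from writes into any other process, and follows the chain of writes from the sample onward. REPORT_WRITES reproduces the report's nine records; PARENT is taken from the report's process tree and is the only other input.

```python
"""Rebuild the process-write chain from a sandbox 'WriteProcessMemory' table
and separate parent-to-child writes from writes into an unrelated process.

Added example; not part of the sandbox report. REPORT_WRITES reproduces the
report's nine records; PARENT is taken from the report's process tree
(Explorer.EXE 1248 > sample 1096 > bitsuser.exe 1768 > ~3553.tmp 316).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE = "a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe"

# The report's table, flattened to one string as the page shows it:
# four writes 1096 -> 1768, four writes 1768 -> 316, one write 316 -> 1248.
REPORT_WRITES = (
    f"PID 1096 wrote to memory of 1768 1096 {SAMPLE} bitsuser.exe " * 4
    + "PID 1768 wrote to memory of 316 1768 bitsuser.exe ~3553.tmp " * 4
    + "PID 316 wrote to memory of 1248 316 ~3553.tmp Explorer.EXE"
)

# Parent PID of each process, from the report's Processes section (None = tree root).
PARENT: Dict[int, Optional[int]] = {1248: None, 1096: 1248, 1768: 1096, 316: 1768}

# One record: "PID <src> wrote to memory of <dst> <src> <src name> <dst name>"
_RECORD_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)"
)


@dataclass(frozen=True)
class Write:
    src_pid: int
    src_name: str
    dst_pid: int
    dst_name: str


def parse_writes(text: str) -> "Counter[Write]":
    """Count identical (source, target) write records."""
    counts: "Counter[Write]" = Counter()
    for m in _RECORD_RE.finditer(text):
        counts[Write(int(m["src"]), m["src_name"], int(m["dst"]), m["dst_name"])] += 1
    return counts


def classify(counts: "Counter[Write]", parent: Dict[int, Optional[int]]
             ) -> Tuple[List[Tuple[Write, int]], List[Tuple[Write, int]]]:
    """Split writes into (into own child, into any other process).

    A parent writing into a child it has just started is also what ordinary
    process creation looks like, so only the second list is an injection lead.
    """
    child_writes: List[Tuple[Write, int]] = []
    cross_writes: List[Tuple[Write, int]] = []
    for w, n in counts.items():
        if parent.get(w.dst_pid) == w.src_pid:
            child_writes.append((w, n))
        else:
            cross_writes.append((w, n))
    return child_writes, cross_writes


def write_chain(counts: "Counter[Write]", start_pid: int) -> List[int]:
    """Follow write edges from start_pid until no unvisited target remains."""
    edges: Dict[int, List[int]] = {}
    for w in counts:
        edges.setdefault(w.src_pid, []).append(w.dst_pid)
    chain, seen = [start_pid], {start_pid}
    while True:
        nxt = [p for p in edges.get(chain[-1], []) if p not in seen]
        if not nxt:
            return chain
        chain.append(nxt[0])
        seen.add(nxt[0])


if __name__ == "__main__":
    counts = parse_writes(REPORT_WRITES)
    child, cross = classify(counts, PARENT)
    for w, n in child:
        print(f"child write  {w.src_pid} {w.src_name} -> {w.dst_pid} {w.dst_name} x{n}")
    for w, n in cross:
        print(f"CROSS WRITE  {w.src_pid} {w.src_name} -> {w.dst_pid} {w.dst_name} x{n}")
    print("chain:", " -> ".join(map(str, write_chain(counts, 1096))))
```

Run against the report's data, the only cross-process write is 316 (~3553.tmp) into 1248 (Explorer.EXE), and the chain from the sample is 1096 -> 1768 -> 316 -> 1248: two dropped stages, then injection into the shell. The same split applies to any sandbox report of this shape; the parent map is the one thing that must be read off the process tree.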
Processes

The leading number is the nesting depth given by the report.

1  C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   PID: 1248
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage

   2  C:\Users\Admin\AppData\Local\Temp\a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b.exe"
      PID: 1096
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3  C:\Users\Admin\AppData\Roaming\DpiSdVol\bitsuser.exe
         command line: "C:\Users\Admin\AppData\Roaming\DpiSdVol\bitsuser.exe"
         PID: 1768
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

         4  C:\Users\Admin\AppData\Local\Temp\~3553.tmp
            command line: "C:\Users\Admin\AppData\Local\Temp\~3553.tmp"
            PID: 316
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

      3  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
         command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
         PID: 292
         (no signatures recorded for this process)

1  C:\Windows\SysWOW64\srdeheme.exe
   command line: C:\Windows\SysWOW64\srdeheme.exe -k
   PID: 1360
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses

srdeheme.exe is the file the sample created in SysWOW64 (see "Drops file in System32 directory"); it appears as a second top-level process with no parent in the tree, started with a -k argument. Together with the Run key pointing at bitsuser.exe in the Roaming profile, the sample leaves two separately launched components behind.
Network
MITRE ATT&CK Enterprise v6
Downloads

One entry per distinct file (the report lists the same hash sets more than once):

  MD5     fd28ee7da4b9307e071efbd8b625795f
  SHA1    a43bffa92ef4e0d4141327e5317d30bebfc123f7
  SHA256  33c6ba5fff016036a33a0ce142bfccda861149341d5c3d5967bbfa883fa7c6fb
  SHA512  9d1fb27d4b413b0bbadae8e6cb62bcaf9e71f17599c31e168a3e7b529e9e5d3c202fe26c4de2dbae40268ca448038b933e6195e0dbc240b7ddf0eb0b1aa4ea92

  MD5     95e6b839210f262edcb1724c178105ff
  SHA1    19579a71ea56c175a44f0b9e00d5c9a714f5ff44
  SHA256  c108508a7537e587886b6172936f1322e2fe8e0159b08ee9ebb78080aa6330b7
  SHA512  16831f59bff48224c38201903661cc2c33891c08d865191d20b9e7f8082793571f37cbee18a5efdc020a526c9490a644037ad1aa43d8d2771783d0e99c669ce9

  MD5     0d0d474a1e1a09a0d9d5e8f375438475   (the submitted sample; matches the General section)
  SHA1    6e7ddc644600681ea16847191d2fe2b16375f0a7
  SHA256  a8f2b434dddca07d7e6961d8f3397d9b4fc229411bf5c6cf456db0b12cc1f81b
  SHA512  3d3a0017253463cd45a1d38a28e02276f72a8d2cf073a7b49c40251ed63e59f3e56efbe7becf3b623f8d4b24d3047aa8dc536b95937a1a6ef044fe771863402a